TikTok Vulnerability Could Have Let Hackers Access Users’ Videos (Jan 8, 2019)
Vulnerabilities have been discovered in the popular video-sharing app “TikTok” that allowed app users to receive spoofed text messages from malicious actors that appear to come from the company. Researchers at Check Point found that it was possible to send links via SMS text messages to TikTok users that appear to come directly from TikTok. Once a user clicked the fake link within the text, the malicious actor gained access to parts of the user’s TikTok account, allowing the actor to change public and private sharing settings, as well as upload and delete videos. The same infrastructure allowed a malicious actor to redirect the user to a malicious website designed to look like TikTok’s homepage, which could have been combined with cross-site scripting and other attacks on the user’s account. Check Point notified TikTok about the security vulnerabilities in November, and TikTok has since fixed the vulnerabilities in its latest version of the app, released January 3, 2020. TikTok has close to 1.5 billion global users and could be highly targeted due to the amount of potentially private information being transferred through the app.
Recommendation: TikTok has issued a patch for these vulnerabilities in its latest version. Users should enable automatic updates so that they do not forget or delay installing critical patches when they become available. Applications that are for personal use only, such as TikTok, should be scrutinized and carefully researched before installation, and users should avoid using such applications on their business devices.